MariaDB Server / MDEV-23086

Error codes/messages provide information about table structure to unauthorized parties


    Details

      Description

      create database db;
      create table db.t (a int, b int);
      create user foo;
      grant select (a) on db.t to foo;
       
      --connect (con1,localhost,foo,,)
      select a from db.t;
      --error ER_COLUMNACCESS_DENIED_ERROR
      select b from db.t;
      select c from db.t;
       
       
      # Cleanup
      --disconnect con1
      --connection default
      drop database db;
      drop user foo;
      

      6cee9b1953

      MariaDB [test]> select b from db.t;
      ERROR 1143 (42000): SELECT command denied to user 'foo'@'localhost' for column 'b' in table 't'
      MariaDB [test]> select c from db.t;
      ERROR 1054 (42S22): Unknown column 'c' in 'field list'
      

      Reproducible on all of 5.5-10.5 and MySQL 5.6. Fixed in MySQL 5.7, which now returns ER_COLUMNACCESS_DENIED_ERROR in both cases.
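The difference between the two error codes can be expressed as a small regression predicate. The following is an added example, not MariaDB code and not part of the original report: it is a toy model of the two behaviours described above, and the function names, the sample table state and the placeholder column name are all assumptions made for illustration.

```python
# Added example: a toy model of the column-privilege responses, not MariaDB code.
ER_BAD_FIELD_ERROR = 1054            # "Unknown column ..." (from the report's output)
ER_COLUMNACCESS_DENIED_ERROR = 1143  # "SELECT command denied ... for column ..."
OK = 0

# Constructed sample state mirroring the test case: db.t(a, b), foo may SELECT (a).
TABLE_COLUMNS = {"a", "b"}
GRANTED_TO_FOO = {"a"}


def leaky_check(column):
    """Model of the reported behaviour: unknown and denied names get different errors."""
    if column not in TABLE_COLUMNS:
        return ER_BAD_FIELD_ERROR
    if column not in GRANTED_TO_FOO:
        return ER_COLUMNACCESS_DENIED_ERROR
    return OK


def uniform_check(column):
    """Model of the behaviour the report gives for MySQL 5.7: one error if not granted."""
    if column in TABLE_COLUMNS and column in GRANTED_TO_FOO:
        return OK
    return ER_COLUMNACCESS_DENIED_ERROR


def inferable_columns(check, candidates):
    """Ungranted columns whose response differs from that of a made-up name."""
    baseline = check("no_such_column_placeholder")  # hypothetical nonexistent name
    return {c for c in candidates if check(c) not in (OK, baseline)}


def leaks_schema(check, candidates):
    """Regression predicate: True if denied responses reveal which names exist."""
    return bool(inferable_columns(check, candidates))


if __name__ == "__main__":
    names = ["a", "b", "c"]
    for label, check in (("leaky", leaky_check), ("uniform", uniform_check)):
        print(label, {n: check(n) for n in names}, "leaks:", leaks_schema(check, names))
```

To use the predicate against a real server, replace the `check` callable with one that runs `select <column> from db.t` as the restricted user and returns the error number.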

            People

            Assignee:
            serg Sergei Golubchik
            Reporter:
            elenst Elena Stepanova